Several Instagram accounts were reportedly hijacked after attackers exploited a flaw in Meta’s AI-powered support chatbot, allowing them to gain control of user profiles without accessing victims’ email accounts.
Reports of the compromise emerged over the weekend, with affected users claiming attackers were able to reset account passwords by manipulating the platform’s AI Support Assistant. Among the accounts reportedly targeted were an inactive Instagram account linked to the Obama-era White House and the account of John Bentivegna.
Security researcher Jane Wong also said her Instagram account was taken over, stating that her password was changed without her authorization while multiple password reset attempts were made against the account.
According to reports, attackers used a virtual private network (VPN) to mimic a victim’s location before interacting with the chatbot. The AI assistant was allegedly persuaded to add an attacker-controlled email address to a target account, send a verification code to that address, and subsequently facilitate a password reset.
The attack was notable because it reportedly did not require access to the legitimate email account associated with the victim’s Instagram profile, effectively bypassing a key layer of account security.
Instagram later confirmed that the vulnerability had been addressed, although the company has not disclosed how many users may have been affected by the incident.
